April 28, 2011

Today we're releasing RT 4.0.0. This release represents over a year
of hard work and more than 2000 commits. With a new major version
number, we took this opportunity to tidy up some of the older bits of RT
and allow us to grow features through the RT 4 series. We hope you'll
find it a worthy successor to RT 3.

Many, but not all, of our new features are the result of work done for
clients. Enhanced full-text search, the integration of RTFM as
Articles, refreshed ticket create and update pages, better control of
ticket notifications, Lifecycles, and quote-folding of emails in ticket
display all began life as extensions we built for clients.

We've also heard your requests in the form of feature requests, bug
reports and patches and they've driven our new theme for RT 4, a new
logo and theme editor, new custom field types and display options, the
mobile UI and reorganized and revised documentation. As a result of
your feedback, we also fixed hundreds of bugs and improved performance.

With so many changes by 16 authors over the course of a year, it would
be hard to summarize everything we added, fixed or improved. Over the
next few weeks, we'll be posting a series of articles on what's new in
RT 4.0 to this blog. A list of new features in RT
4.0 is also available at bestpractical.com/rt/whats-new-in-4.html.

We've done our best to ensure that upgrading from RT 3 to RT 4.0 will
be as smooth as possible for you. If you have questions as you upgrade,
please don't hesitate to write to rt-users@lists.bestpractical.com for
community support. If you'd rather have professional support from the
folks who built RT, drop us a line at sales@bestpractical.com.

We've talked our sales team into including free basic upgrades from RT 3
to RT 4 if you sign up for a new RT 4 support contract within the next
two months. The new RT 4 support contracts are less expensive and come
with lots of great new features.

April 14, 2011

In the process of preparing the release of RT 4.0.0, we performed an extensive security audit of RT's source code. During this audit, several vulnerabilities were found which affect earlier releases of RT. We are releasing versions 3.6.11, 3.8.10, and 4.0.0rc8 to resolve these vulnerabilities, as well as patches which apply atop 3.6.10 and all versions of RT 3.8.

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability. An authenticated user (either privileged or unprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF). The external custom field option is disabled by default; if you have not explicitly enabled "CustomFieldValuesSources" in your RT configuration, your RT instance is not vulnerable. We have been assigned CVE-2011-1685 for this vulnerability.

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks. We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data. Deployments since 3.6.0 are additionally vulnerable to a more complex attack, which can be used by a privileged user to retrieve arbitrary data from the database. We have been assigned CVE-2011-1686 for this vulnerability.

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as stored password hashes, via the search interface. We have been assigned CVE-2011-1687 for this vulnerability. This vulnerability is particularly notable given RT's previous vulnerability with insecure hashing (CVE-2011-0009): hashes produced by a weak scheme are far easier to recover once leaked, so deployments that have not yet upgraded past that issue should treat exposed hashes as compromised passwords.

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server. We have been assigned CVE-2011-1690 for this vulnerability.

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver. While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit. We have been assigned CVE-2011-1688 for this vulnerability.
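Whether this attack succeeds against a given deployment comes down to whether the request path is normalised before it reaches the filesystem. The following is an added example, not RT's code or that of any of the servers named above: a containment check an application can apply itself, so the outcome no longer depends on which server sits in front of it. The document root /srv/www/html and the request paths are constructed for illustration; naive_target is a sketch of a server that simply decodes the URL and appends it to the document root, not the actual behaviour of any particular server.

```python
"""Containment check for a static-file handler (added example, not RT's code)."""
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """The request path would resolve outside the document root."""


def normalize_request_path(request_path):
    """Percent-decode once and collapse '.' and '..' segments lexically.

    Returns a relative path with no leading slash, e.g. 'static/style.css'.
    A result equal to '..' or starting with '../' tried to climb above the root.
    """
    decoded = unquote(request_path)          # decode exactly once: '%252e' must stay '%2e'
    if "\x00" in decoded:                     # a NUL byte truncates C-level path handling
        raise TraversalError("NUL byte in request path")
    rel = posixpath.normpath(decoded.lstrip("/"))
    return "" if rel == "." else rel


def escapes_docroot(request_path):
    """True when the normalised path climbs above the document root."""
    try:
        rel = normalize_request_path(request_path)
    except TraversalError:
        return True
    return rel == ".." or rel.startswith("../")


def resolve_under_docroot(docroot, request_path):
    """Return the absolute filesystem path for request_path, or raise TraversalError.

    The lexical check is the primary defence; the commonpath check is
    belt-and-braces against any difference between posixpath and the
    platform's os.path, and tolerates a docroot given with a trailing '/'.
    """
    if escapes_docroot(request_path):
        raise TraversalError(f"refusing {request_path!r}: escapes document root")
    root = os.path.abspath(docroot)
    target = os.path.abspath(os.path.join(root, normalize_request_path(request_path)))
    if os.path.commonpath([root, target]) != root:
        raise TraversalError(f"refusing {request_path!r}: resolves to {target}")
    return target


def naive_target(docroot, request_path):
    """Where a server that hands the decoded path straight to the filesystem lands.

    Constructed illustration of the unsafe behaviour (decode, concatenate, let the
    OS resolve '..'), not the code of any particular server.
    """
    return os.path.normpath(docroot.rstrip("/") + "/" + unquote(request_path))


if __name__ == "__main__":
    root = "/srv/www/html"                   # constructed document root
    for p in ["/static/style.css",
              "../../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p!r}: naive -> {naive_target(root, p)}; hardened ->", end=" ")
        try:
            print(resolve_under_docroot(root, p))
        except TraversalError as exc:
            print(exc)
```

The lexical check runs on the path the application actually receives, so a traversal that a reverse proxy would have rejected and one that a standalone server passes through untouched are handled identically. Symlinks inside the document root are a separate concern; resolving the final target with os.path.realpath before the commonpath check would cover those as well.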

RT versions 2.0.0 and above are vulnerable to multiple cross-site scripting (XSS) vulnerabilities, which allow an attacker to run JavaScript in the victim's browser within that user's authenticated RT session. We have been assigned CVE-2011-1689 for this vulnerability.